vSphere Integrated Containers v3.0
TRANSCRIPT
[Diagram: a stack of Hardware, OS Kernel, OS File system and Userspace; in the userspace, two Containers, each holding several App processes]
Introduction To Linux Containers
OS-level Isolation
• Isolation at individual kernel subsystem level (e.g. filesystem, process table, etc.)
• User-level process (LXC, libcontainer) orchestrates these subsystems to create a container
Existed for Many Years
Solaris Zones, FreeBSD Jails, OpenVZ
Why?
• Process isolation
• Reproducible environment
• Enables management at scale
CONFIDENTIAL
Because There Are Still Many Challenges with Containers
[Figure: "The Learning Cliff" – containers in development vs. containers in production. Source: https://twitter.com/mfdii/status/697532387240996864]
Challenges in production:
• High Availability
• Security
• Disaster Recovery
• Monitoring
• Diagnosis
• Repeatable Deployments
• Portability
• Accounting
@cloudnativeapps #vmwcna
Container Deployment On Bare Metal
[Diagram: Physical Hardware → Linux → Container Engine → containers (C C C)]
Basic Approach: Container Deployment In VMs
[Diagram: vSphere → VM (Linux, Container Engine, containers C C C)]
• Prediction of VM size during creation / Resizing to meet demand
• Restricted visibility when troubleshooting
• Inability to reclaim unused resources
Introducing The vSphere Integrated Containers Engine
[Diagram: alongside a conventional VM running Linux, a Container Engine and containers, a Virtual Container Host on vSphere runs each container (C) in its own VM with its own Linux Kernel]
[Diagram: Full Visibility, Proven Security, Mature Ecosystem. Developer: Portable, Fast, Light. IT: Security, Visibility, Management. vSphere with a Virtual Container Host running container VMs, each with its own Linux Kernel]
Photon OS - Secure Container Runtime
• Container Optimized Linux OS
• Docker, Rocket and Garden (Pivotal) support
• Minimal footprint to run containers
• vSphere and Photon Platform Integration
• Boots in 6 sec.
• Hypervisor-optimized container runtime
• Updates from VMware / Enterprise support
• Security and update patches from VMware
• Open Source, GPL v2 License
• 1.0 released June 2016
vSphere Integrated Containers Engine – In Detail
[Diagram: a Virtual Container Host consists of an Endpoint VM (Linux Kernel) and the Container VMs it manages, running alongside Traditional App Guest OS VMs]
• vSphere Administrator creates a Virtual Container Host
• Developer connects and issues a Docker run command
VMware Validation and Differentiation – Giving the Best of Both Worlds (Developers and IT Ops)
What Developers Want: Portable, Fast, Light
• Run Standard Container Formats and integrated with Developer Tools
• Common APIs for Orchestration
• Container in Seconds
[Diagram labels: open container formats + orchestration APIs; Instant Clone, fast boot; Photon OS]
What IT Ops Needs: Data Persistence, Network & Security, Rich SLAs, Consistent Management
• Isolation and Multi-Tenancy
• Network Provisioning and Configuration
• Choice of Storage and Guarantee of Services
• Align SLAs per Workload
• Manage with Existing Tool Sets
[Diagram labels: VM, vSphere Distributed Switch, NSX (network & security); vVols, VSAN (data persistence); vSphere DRS, I/O Controls (SLAs); vCenter Server (management)]
@cloudnativeapps #vmwcna
vSphere Integrated Containers Engine
[Diagram: vCenter Server manages VCH 1 and VCH 2 (Container Endpoints) alongside traditional VMs; each VCH runs Container VMs (C-VM: a Container VM with its own Linux Kernel). Labels: Portable + Fast + Light; Consistent Mgmt + Rich SLAs; Network + Security (NSX); Data Persistence (vSAN)]
vSphere Integrated Containers – Enterprise Registry
[Diagram: the engine architecture (vCenter Server, VCH 1 and VCH 2 Container Endpoints with C-VMs, NSX, vSAN, traditional VMs) with a Registry added]
Introduction of Harbor: Enterprise-Class Registry
An open source enterprise-class private registry. Part of VIC, and it can also be used independently.
Why does one need a private registry?
• Efficiency – LAN vs WAN
• Security – Intellectual property stays in the organization – Access Control
Harbor Key Features
• User management & access control – RBAC: admin, developer, guest – AD/LDAP integration
• Policy based image replication
• Web UI
• Audit and logs
• RESTful API for integration
• HA with vSAN
• Lightweight and easy deployment
Explaining Harbor Architecture
[Diagram: Docker Client and Browser reach Harbor through a Reverse Proxy (Nginx); behind it sit the API, UI, Auth (backed by AD/LDAP), DB, Admin Server, Log Collector, a basic registry (Docker Distribution) and a Replication Service that syncs with a Remote Harbor]
Role Based Access Control
[Diagram: a Project has Members and Images, e.g. ${Project}/ubuntu:14.04, ${Project}/nginx:1.8, 1.9, ${Project}/golang:1.6.2, ${Project}/redis:3.0, ...]
Guest: docker pull ...
Developer: docker pull/push ...
Admin:
Image Replication between Registry Instances
[Diagram: a replication Policy on a source Project copies its Images to a target Project: initial replication, then incremental replication (including image deletion)]
Policy of Image Replication (1) – Master Slave
• Image distribution
• Load balancing
[Diagram: Master – Slave; a Docker Client pushes to the master registry, which replicates to the slave registries]
Policy of Image Replication (3) – Master Master
• Load Balancing
• Active-Active
[Diagram: Master - Master; two Docker Clients each push to a different master registry]
vSphere Integrated Containers – Container Management Portal
[Diagram: the engine architecture (vCenter Server, VCH 1 and VCH 2 Container Endpoints with C-VMs, NSX, vSAN, traditional VMs) with a Registry and a Container Management Portal added]
Admiral: Container Management Portal
• An open source container management portal
• Part of the VIC product, and it can also be used independently with other solutions
• Container management available via both API and UI
• Integration with the vRealize platform is also available – accepting beta nominations!
Provisioning of Container Hosts
• Mapping to deployment policies
• Usage of pre-defined resource pools
• Security credentials storage
• Custom properties for affinity rules or any extensibility use cases
• VCH can be added as well
Resource Pools and Policies
• Resource pools between different teams
• Deployment policies for the consumption of resource pools
• Affinity and anti-affinity policies for deployment
Container Provisioning from Templates
• Different registries can be used with Project Admiral
• Docker compose import / export support is available
• Containers can be provisioned from images or templates
• vSphere Integrated Containers (VIC) provisioning also supported
Auto Discovery of Containers
• Visibility of ports and last commands
• Mapping to specific container hosts
• Both container and application views available
Container Details and Lifecycle Actions
• Visibility into resources – CPU, memory, network
• Information about IP address, image used
• Executed commands on containers with log details
vRealize Integration with Project Admiral
• Model application using containers as a first-class blueprint object
• Import from Docker compose as a starting point
• Mix containers and VMs in the same blueprint
• Configure networking and security options
• Configure persistent storage
• Specify dynamic placement policies
The Best Way To Run Containers On vSphere
Run Containers Natively Alongside Existing Workloads: Provision containers natively on vSphere with fine-grained controls while giving developers the portability, speed and agility they want.
Combine Portability with Security, Visibility and Management: Leverage the core capabilities of vSphere to run containers in production.
Leverage Your Existing Infrastructure, Scale Easily: Avoid costly and time-consuming re-architecture of your infrastructure that results in silos. Scale application deployments instantly.
vSphere Integrated Containers
vSphere Integrated Containers – Enabling the Best of Both Worlds
• Docker compatible interface
• Container management portal
• Enterprise-class container registry
• Familiarity of vSphere
• No new tooling or technologies
• Full enterprise-grade power of the Software-Defined Data Center